Handling of kerberos machine account password changes (eg domain rejoin)
Andrew Bartlett
abartlet at samba.org
Sun Nov 11 22:10:15 MST 2012
On Fri, 2012-11-02 at 00:15 +1100, Andrew Bartlett wrote:
> On Thu, 2012-11-01 at 07:22 +0100, Andrew Tridgell wrote:
> > The branch, master has been updated
> > via dd60dcf test-chgdcpass: test the ldap case for server password change
> > via 0e6c5c0 s4-ldapclient: cope with logon failure retry in LDAP
> > via b0cc0d5 s4-librpc: set error code to LOGON_FAILURE on RPC fault with access denied
> > via 538dd04 samba-tool: "drs options" does not need a samdb connection
> > via 5d6ae34 s4-librpc: try a 2nd logon for more error cases
>
> > via fce66b2 test_chgdpass: added test for kerberos retry
> > via d4ea637 libcli: use cli_credentials_failed_kerberos_login() to cope with server changes
> > via 994696c auth: added cli_credentials_failed_kerberos_login()
> > from ffb608b util: remove accidently committed hunk
> >
> > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> Alexander,
>
> I wanted to thank you for the chat we just had on IRC about these
> kerberos changes. I think we have determined that it won't hit your use
> case, because we are careful to only remove a ticket once we have some
> evidence that the server it is for won't accept it.
>
> We do take particular care not to just blow away the ccache, because we
> might not have a password to recreate it (and it might, as in your
> application, have come from an external kinit or s4u2proxy call).
>
> The reason for the change is to cope with the re-installation of a
> kerberos host, where the rejoin to the domain has no record of the old
> password, and so for up to 10 hours valid tickets in a ccache would be
> rejected, without any attempt to get a fresh ticket.
>
> That said, Kerberos can be a tricky beast, and I'm very happy to
> continue to work with you to address any further concerns you might have
> after your conference.
Alexander,
Just checking back to see when you are available to work on any
remaining concerns for the FreeIPA case here.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
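An added illustration of the retry behaviour the quoted mail describes, not Samba's own code: a toy model in which a rejoined server holds only its new key, so cached service tickets encrypted under the old key version are rejected, and the client evicts just that one ticket and refetches it with the TGT (which may have come from an external kinit) instead of discarding the whole ccache. Realm, Ccache, Ticket and connect are constructed names.

```python
from dataclasses import dataclass, field

@dataclass
class Ticket:
    server: str   # service principal the ticket is for
    kvno: int     # key version number it was encrypted under

@dataclass
class Ccache:
    has_tgt: bool = True                         # TGT may come from an external kinit
    tickets: dict = field(default_factory=dict)  # server principal -> Ticket

class Realm:
    """Constructed stand-in for KDC plus servers: one current kvno per server."""
    def __init__(self, kvno):
        self.kvno = dict(kvno)

    def get_service_ticket(self, cc, server):
        if not cc.has_tgt:
            raise RuntimeError("no TGT in ccache and no password to get one")
        cc.tickets[server] = Ticket(server, self.kvno[server])
        return cc.tickets[server]

    def accepts(self, ticket):
        # A reinstalled, rejoined host only has its new key: old-kvno tickets fail.
        return ticket.kvno == self.kvno[ticket.server]

def connect(realm, cc, server, retry=True):
    """Return (accepted, evicted). On rejection, drop only that server's
    ticket, leave the rest of the ccache alone, and retry once with a fresh one."""
    t = cc.tickets.get(server) or realm.get_service_ticket(cc, server)
    if realm.accepts(t):
        return True, False
    if not retry:
        return False, False
    del cc.tickets[server]   # evidence that this server won't take the ticket
    return realm.accepts(realm.get_service_ticket(cc, server)), True

def demo():
    realm = Realm({"host/dc1": 1, "cifs/fs1": 1})
    cc = Ccache()
    connect(realm, cc, "host/dc1")   # cache a kvno-1 ticket for dc1
    connect(realm, cc, "cifs/fs1")   # and an unrelated ticket for fs1
    realm.kvno["host/dc1"] = 2       # dc1 reinstalled and rejoined: new key
    before = connect(realm, cc, "host/dc1", retry=False)   # old behaviour
    after = connect(realm, cc, "host/dc1")                 # with retry
    return before, after, cc.tickets["cifs/fs1"].kvno      # fs1 ticket untouched
```

Without the retry every request to dc1 fails until the cached ticket expires; with it, only dc1's ticket is replaced and the fs1 ticket stays cached.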